Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
GNU is Not Unix

Slackware 14.2 Released, Still Systemd-Free (slackware.com) 179

sombragris writes: Slackware, the oldest GNU/Linux distribution still in active maintenance, was released just minutes ago. Slackware is noted for being the most Unix-like of all Linux distributions. While sporting kernel 4.4.14 and GCC 5.3, other goodies include Perl 5.22.2, Python 2.7.11, Ruby 2.2.5, Subversion 1.9.4, git-2.9.0, mercurial-3.8.2, KDE 4.14.21 (KDE 4.14.3 with kdelibs-4.14.21) Xfce 4.12.1... and no systemd!

According to the ChangeLog: "The long development cycle (the Linux community has lately been living in "interesting times," as they say) is finally behind us, and we're proud to announce the release of Slackware 14.2. The new release brings many updates and modern tools, has switched from udev to eudev (no systemd), and adds well over a hundred new packages to the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality." Grab the ISOs at a mirror near you. Enjoy!
The torrents page can be found here.
Programming

Ruby On Rails 5.0 Released (rubyonrails.org) 37

steveb3210 writes: Today, Ruby On Rails released version 5.0.0 of the platform. Major new features include ActionCable which brings support for WebSockets and a slimmed-down API-only mode From the official blog post:After six months of polish, four betas, and two release candidates, Rails 5.0 is finally done! It's taken hundreds of contributors and thousands of commits to get here, but what a destination: Rails 5.0 is without a doubt the best, most complete version of Rails yet. It's incredible that this community is still going so strong after so long. Thanks to everyone who helped get us here. [...] Note: As per our maintenance policy, the release of Rails 5.0 will mean that bug fixes will only apply to 5.0.x, regular security issues to 5.0.x and 4.2.x, and severe security issues also to 5.0.x and 4.2.x (but when 5.1 drops, to 5.1.x, 5.0.x, and 4.2.x). This means 4.1.x and below will essentially be unsupported! Ruby 2.2.2+ is now also the only supported version of Rails 5.0+.
Programming

Java, PHP, NodeJS, and Ruby Tools Compromised By Severe Swagger Vulnerability (threatpost.com) 97

"Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit," warns ZDNet's blog Zero Day, adding "the severe flaw allows attackers to remotely execute code." Slashdot reader msm1267 writes: A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages. Researchers at Rapid7 who found the flaw disclosed details...as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.

Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of January 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification. The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.

EU

Ruby on Rails Creator Supports After-Work Email Bans (signalvnoise.com) 135

An anonymous reader writes: David Heinemeier Hansson, the creator of Ruby on Rails, is applauding talk of an after-work e-mail ban, writing that "the ever-expanding expectations for when someone is available have gotten out of hand... Work emails are ticking in at all sorts of odd hours and plenty of businesses are dysfunctional enough to believe they have a right to have those answered, whatever the hour. That's unhealthy, possibly even exploitative... Same goes for forcing everyone to work in an open office. The research is mounting on all the ills that come from persistent noise and interruptions from that arrangement."

While acknowledging that his firm's project management tool Basecamp has a "perfect storm" of features that can send emails and texts after hours, Hansson points out that at least version 3 (released in 2015) shipped with a scheduling feature that will hold notifications during weekends and other specified off-work periods. "What we need before we can even dream of having something like the French response is a change in attitudes. Less celebration of workaholism, more #WorkCanWait. More recognition that stress from unrealistic and unhealthy expectations and work habits is actually a real hazard to health and sanity."

Security

Hacker Magazine Phrack Returns After Four-year Hiatus (phrack.org) 32

Earthquake Retrofit quotes this report from The Register: More than four years since its previous issue, iconic hacker zine Phrack has published a new issue. Phrack issue number 69 contains articles from researchers Aaron Portnoy and Alisa Esage, as well as articles on OS X rootkits and exploiting Ruby on Rails...

First released in 1985 via BBS, Phrack has been staffed by dozens of editors and contributors in its three-plus decades. The long-running zine has also hosted a number of notable articles, including the famed Hacker Manifesto and Smashing The Stack For Fun And Profit.

Security

Huge Number Of Sites Imperiled By Critical Image-Processing Vulnerability (arstechnica.com) 104

Dan Goodin, reporting for Ars Technica: A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users. According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security. "The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
Bug

MIT Bug Finder Uncovers Flaws In Web Apps In 64 Seconds (csoonline.com) 24

itwbennett quotes a report from CSO: A new tool from MIT exploits some of the idiosyncrasies in the Ruby on Rails programming framework to quickly uncover new ones, writes Katherine Noyes. In tests on 50 popular web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program. Ruby on Rails is distinguished from other frameworks because it defines even its most basic operations in libraries. MIT's researchers took advantage of that fact by rewriting those libraries so that the operations defined in them describe their own behavior in a logical language.
Bug

Steam Hacker Says More Vulnerabilities Will Be Found (arstechnica.com) 37

An anonymous reader shares an article on Ars Technica: The teenager who grabbed headlines earlier this week for hacking a fake game listing on to Valve's Steam store says there are "definitely" more vulnerabilities to be found in the popular game distribution service. But he won't be the one to find them, thanks to what he sees as Valve "giv[ing] so little of a shit about people's [security] findings." Ruby Nealon, a 16-year-old university student from England, says that probing various corporate servers for vulnerabilities has been a hobby of his since the age of 11. His efforts came to the attention of Valve (and the wider world) after an HTML-based hack let him post a game called "Watch paint dry" on Steam without Valve's approval over the weekend."It looks like their website hasn't been updated for years," Nealon told Ars. "Compared to even other smaller Web startups, they're really lacking. This stuff was like the lowest of the lowest hanging fruit."
Linux

Confirmed: Microsoft and Canonical Partner To Bring Ubuntu To Windows 10 (zdnet.com) 492

Steven J. Vaughan-Nichols reports for ZDNet: According to sources at Canonical, Ubuntu Linux's parent company, and Microsoft, you'll soon be able to run Ubuntu on Windows 10. This will be more than just running the Bash shell on Windows 10. After all, thanks to programs such as Cygwin or MSYS utilities, hardcore Unix users have long been able to run the popular Bash command line interface (CLI) on Windows. With this new addition, Ubuntu users will be able to run Ubuntu simultaneously with Windows. This will not be in a virtual machine, but as an integrated part of Windows 10. [...] Microsoft and Canonical will not, however, sources say, be integrating Linux per se into Windows. Instead, Ubuntu will primarily run on a foundation of native Windows libraries. Update: 03/30 16:16 GMT by M : At its developer conference Build 2016, Microsoft on Wednesday confirmed that it is bringing native support for Bash on Windows 10. Scott Hanselman writes: This isn't Bash or Ubuntu running in a VM. This is a real native Bash Linux binary running on Windows itself. It's fast and lightweight and it's the real binaries. This is a genuine Ubuntu image on top of Windows with all the Linux tools I use like awk, sed, grep, vi, etc. It's fast and it's lightweight. The binaries are downloaded by you - using apt-get - just as on Linux, because it is Linux. You can apt-get and download other tools like Ruby, Redis, emacs, and on and on. This is brilliant for developers that use a diverse set of tools like me.
Open Source

GitHub Open Sources Their Internal Testing Tool (thenewstack.io) 62

destinyland writes: Last week GitHub released a new open source tool called Scientist, a Ruby-based library they've been using in-house for several years. "It's the most terrifying moment when you flip the switch," GitHub engineer Jesse Toth told one technology reporter, who notes that the tool is targeted at developers transitioning from a legacy system. "Scientist was born when GitHub engineers needed to rewrite the permissions code — one of the most critical systems in the GitHub application." The tool measures execution duration and other metrics for both test and production code during runtime, and Toth reports that they're now also developing new versions in Node.js, C#, and .Net..
Cloud

Ask Slashdot: What Are Your Experiences With Online IDEs For Web Development? 168

Qbertino writes: I'm toying with the thought of moving my web development (PHP, HTML, CSS, JavaScript with perhaps a little Python and Ruby thrown in) into the cloud. The upsides I expect would be: 1) No syncing hassles across machines. 2) No installation of toolchains to get working or back to work — a browser and a connection is all that would be required. 3) Easy teamwork. 4) Easy deployment. 5) A move to Chrome OS for ultra-cheap laptop goodness would become realistic.

Is this doable/feasible? What are your experiences? Note, this would be for professional web development, not hobbyist stuff. Serious interactive JS, non-trivial PHP/LAMP development, etc. Has anyone have real world experience doing something like this? Maybe even experience with moving to a completely web-centric environment with Chrome OS? What have you learned? What would you recommend? How has it impacted your productivity and what do you miss from the native pipelines? What keeps you in the cloud, and enables you to stay there? Are you working "totally cloud" with a team and if so, how does it work out/feel? Does it make sense? As for concrete solutions, I'm eyeing Cloud9, CodeAnywhere, CodeEnvy but also semi-FOSS stuff like NeutronDrive. Anything you would recommend for real world productivity? Have you tried this and moved back? If so, what are your experiences and what would need to be improved to make it worthwhile? Thanks for any insights.
Ruby

Ruby 2.3.0 Released (ruby-lang.org) 45

An anonymous reader writes: Ruby developers have announced the official release of Ruby 2.3.0. This release introduces a frozen string literal pragma, which is "a new magic comment and command line option to freeze all string literals in the source files." It also adds a safe navigation operator &. similar to what exists in C#, Groovy, and Swift. Ruby 2.3.0 also has many performance improvements. For more details, see the news file and the full changelog.
Programming

Revisiting Why Johnny Can't Code: Have We "Made the Print Too Small"? 270

theodp writes: In What is Computer Science?, the kickoff video for Facebook's new TechPrep diversity initiative, FB product manager Adriel Frederick explains how he was hooked-on-coding after seeing the magic of a BASIC PRINT statement. His simple BASIC example is a nice contrast to the more complicated JavaScript and Ruby examples that were chosen to illustrate Mark Zuckerberg's what-is-coding video for schoolkids. In How to Teach Your Baby to Read, the authors explain, "It is safe to say that in particular very young children can read, provided that, in the beginning, you make the print very big." So, is introducing coding to schoolkids with modern programming languages instead of something like BASIC (2006) or even (gasp!) spreadsheets (2002) the coding equivalent of "making the print too small" for a child to see and understand?
China

FBI and DOJ Drop Case Against Chinese-American Physicist 113

Required Snark writes: The FBI and Department of Justice have withdrawn their prosecution (or more accurately persecution) Dr. Xi Xiaoxing, former head of the Physics Department at Temple University, according to the New York Times. He was accused of attempting to transfer technology about a "pocket heater" to China. It is used in superconducting research.

The case fell apart because the evidence that the FBI had was not about a pocket heater. "In a sworn affidavit, one engineer, Ward S. Ruby, said he was uniquely qualified to identify a pocket heater. 'I am very familiar with this device, as I was one of the co-inventors,' he said." Apparently nobody in the FBI or DOJ bothered to verify that the information referred to the device in question: "Dr. Xi's lawyer, Peter Zeidenberg, said that despite the complexity, it appeared that the government never consulted with experts before taking the case to a grand jury. As a result, prosecutors misconstrued the evidence, he said."

Dr Xi was forced to step down from his position as the head of the department during the investigation. He was unable to work on his ongoing experiments and was branded a spy. What are the odds that anyone at the FBI or DOJ will face any personal or professional repercussions? If recent history is any guide they will not even issue a statement. When the case was withdrawn the option to refile was retained, a blatant attempt to save face and deny responsibility.
Programming

The Top 10 Programming Languages On GitHub, Over Time 132

An anonymous reader writes with a link to VentureBeat's article on the information that GitHub released this week about the top-ten languages used by GitHub's users, and how they've changed over the site's history. GitHub's chart shows the change in rank for programming languages since GitHub launched in 2008 all the way to what the site's 10 million users are using for coding today. To be clear, this graph doesn't show the definitive top 10 programming languages. Because GitHub has become so popular (even causing Google Code to shut down), however, it still paints a fairly accurate picture of programming trends over recent years. Trend lines aside, here are the top 10 programming languages on GitHub today: 1. JavaScript 2. Java 3. Ruby 4. PHP 5. Python 6. CSS 7. C++ 8. C# 9. C 10. HTML
DRM

Firefox 38 Arrives With DRM Required To Watch Netflix 371

An anonymous reader writes with this excerpt from VentureBeat: Mozilla today launched Firefox 38 for Windows, Mac, Linux, and Android. Notable additions to the browser include Digital Rights Management (DRM) tech for playing protected content in the HTML5 video tag on Windows, Ruby annotation support, and improved user interfaces on Android. Firefox 38 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play. Note that there is a separate download for Firefox 38 without the DRM support. Our anonymous reader adds links to the release notes for desktop and Android.
Programming

Is It Worth Learning a Little-Known Programming Language? 267

Nerval's Lobster writes: Ask a group of developers to rattle off the world's most popular programming languages, and they'll likely name the usual suspects: JavaScript, Java, Python, Ruby, C++, PHP, and so on. Ask which programming languages pay the best, and they'll probably list the same ones, which makes sense. But what about the little-known languages and skill sets (Dice link) that don't leap immediately to mind but nonetheless support some vital IT infrastructure (and sometimes, as a result, pay absurdly well)? is it worth learning a relatively obscure language or skill set, on the hope that you can score one of a handful of well-paying jobs that require it? The answer is a qualified yes—so long as the language or skill set in question is clearly on the rise. Go, Swift, Rust, Julia and CoffeeScript have all enjoyed rising popularity, for example, which increases the odds that they'll remain relevant for at least the next few years. But a language without momentum behind it probably isn't worth your time, unless you want to learn it simply for the pleasure of learning something new.

Slashdot Top Deals